Analysis
-
max time kernel
117s -
max time network
137s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
15-02-2022 04:40
Static task
static1
Behavioral task
behavioral1
Sample
f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
General
-
Target
f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe
-
Size
772KB
-
MD5
9e8388274066861ecf159c212e153ec1
-
SHA1
6ba52b3cca249625bce6de2fdf98002b7f476cde
-
SHA256
f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174
-
SHA512
33a2a84cde6543aa464f4439d7db57e7debe6c87b7537b2b349da843b015b99cbd1d5dc70b347a6e8fcfa000652669cabc2e539748a5e127fdea72673915618c
Malware Config
Extracted
Family
vidar
Version
47.9
Botnet
937
C2
https://mas.to/@kirpich
Attributes
-
profile_id
937
Signatures
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral1/memory/964-57-0x0000000002100000-0x00000000021D6000-memory.dmp family_vidar behavioral1/memory/964-58-0x0000000000400000-0x00000000004D9000-memory.dmp family_vidar -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1812 964 WerFault.exe f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 1812 WerFault.exe 1812 WerFault.exe 1812 WerFault.exe 1812 WerFault.exe 1812 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1812 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1812 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exedescription pid process target process PID 964 wrote to memory of 1812 964 f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe WerFault.exe PID 964 wrote to memory of 1812 964 f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe WerFault.exe PID 964 wrote to memory of 1812 964 f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe WerFault.exe PID 964 wrote to memory of 1812 964 f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe"C:\Users\Admin\AppData\Local\Temp\f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 13042⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/964-54-0x00000000002ED000-0x000000000036A000-memory.dmpFilesize
500KB
-
memory/964-55-0x0000000075D61000-0x0000000075D63000-memory.dmpFilesize
8KB
-
memory/964-56-0x00000000002ED000-0x000000000036A000-memory.dmpFilesize
500KB
-
memory/964-57-0x0000000002100000-0x00000000021D6000-memory.dmpFilesize
856KB
-
memory/964-58-0x0000000000400000-0x00000000004D9000-memory.dmpFilesize
868KB
-
memory/1812-59-0x00000000006D0000-0x00000000006D1000-memory.dmpFilesize
4KB